[SECURITY] [DLA 2638-1] jackson-databind security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
- -----------------------------------------------------------------------
Debian LTS Advisory DLA-2638-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Utkarsh Gupta
April 25, 2021 https://wiki.debian.org/LTS
- -----------------------------------------------------------------------
Package : jackson-databind
Version : 2.8.6-1+deb9u9
CVE ID : CVE-2020-24616 CVE-2020-24750 CVE-2020-35490
CVE-2020-35491 CVE-2020-35728 CVE-2020-36179
CVE-2020-36180 CVE-2020-36181 CVE-2020-36182
CVE-2020-36183 CVE-2020-36184 CVE-2020-36185
CVE-2020-36186 CVE-2020-36187 CVE-2020-36188
CVE-2020-36189 CVE-2021-20190
Multiple security vulnerabilities were found in Jackson Databind.
CVE-2020-24616
FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the
interaction between serialization gadgets and typing, related
to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).
CVE-2020-24750
FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the
interaction between serialization gadgets and typing, related
to com.pastdev.httpcomponents.configuration.JndiConfiguration.
CVE-2020-25649
A flaw was found in FasterXML Jackson Databind, where it did not
have entity expansion secured properly. This flaw allows
vulnerability to XML external entity (XXE) attacks. The highest
threat from this vulnerability is data integrity.
CVE-2020-35490
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
interaction between serialization gadgets and typing, related
to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.
CVE-2020-35491
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
interaction between serialization gadgets and typing, related
to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.
CVE-2020-35728
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
interaction between serialization gadgets and typing, related to
com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool
(aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).
CVE-2020-36179
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
interaction between serialization gadgets and typing, related
to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.
CVE-2020-36180
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
interaction between serialization gadgets and typing, related
to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.
CVE-2020-36181
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
interaction between serialization gadgets and typing, related
to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.
CVE-2020-36182
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
interaction between serialization gadgets and typing, related
to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.
CVE-2020-36183
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
interaction between serialization gadgets and typing, related
to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.
CVE-2020-36184
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
interaction between serialization gadgets and typing, related to
org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.
CVE-2020-36185
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
interaction between serialization gadgets and typing, related to
org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.
CVE-2020-36186
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
interaction between serialization gadgets and typing, related to
org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.
CVE-2020-36187
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
interaction between serialization gadgets and typing, related to
org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.
CVE-2020-36188
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
interaction between serialization gadgets and typing, related to
com.newrelic.agent.deps.ch.qos.logback.core.db.JNDICS.
CVE-2020-36189
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the
interaction between serialization gadgets and typing, related to
com.newrelic.agent.deps.ch.qos.logback.core.db.DMCS.
CVE-2021-20190
A flaw was found in jackson-databind before 2.9.10.7. FasterXML
mishandles the interaction between serialization gadgets and
typing. The highest threat from this vulnerability is to data
confidentiality and integrity as well as system availability.
For Debian 9 stretch, these problems have been fixed in version
2.8.6-1+deb9u9.
We recommend that you upgrade your jackson-databind packages.
For the detailed security status of jackson-databind please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/jackson-databind
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEbJ0QSEqa5Mw4X3xxgj6WdgbDS5YFAmCEhEQACgkQgj6WdgbD
S5b0phAArpP2x7hIraTYxLJZNipQ+fLfO/psFKiJYMcajpEJ58KOm12m2wDYYDOx
PqWdE4xYDHC9A2voXAf2kOzEssJffYfquM7drKJx2Pi2PoHF0KK56l41buPxFGf5
yA/99egR6itnpmnDsQy1bhbfJS1C1PMJVFr+U0HygQmfWYzbf3YVGYsgz5W0ReJ8
ywSxCkDrEnRW19UL25DvIAb8lldtT3iV9RUGomV1e0Bpy/lQa3QLNfS/K1f61a3U
dsIa+ImqZnNH6zoagiJyFmoOkmpwoAp3QUhQ+fBu/9Lk1ImtpH1ResyDLlp538t6
VjDC0Ib9Nm9s4QOvaW9ut/0pHHVtyGuoZQKmwXSy7Y69mQA/P3fVgCugoIDRBMbE
EkJGyjHLYDPAQmrF9FsBVj+Di181Dv4ALlKUjbvvCZjyA9YGPHd8XpHqmrAW0b9s
ybBGAz0MhgZNlH+ZErLRWPHa+2d0jIp4yKTJPQRDHY+HDeG+q8/lFXYKnDFtLC18
bwXu1ExFGBW16bmdjIiaR7x2OcIBP/hXWSpga+O2Qs1ojfA2NIoM6BKpJw8ZIwtR
jCcgMNmPsc6V47J0zuY/yuBO8FgOq3rjScUpGs+wevaxKx/2hge2jogP8bnth8P6
GAgG7VlQ2VXbPzzHdskzqZqtmLqVZGURBD+qgT9DV1jVLRrnIo0=
=pfKI
-----END PGP SIGNATURE-----
Reply to: